Abstract

In this work, a wide family of LFSR-based sequence generators, the
so-called Clock-Controlled Shrinking Generators (CCSGs), has been
analyzed and identified with a subset of linear Cellular Automata (CA). In
fact, a pair of linear models describing the behavior of the CCSGs can
be derived. The algorithm that converts a given CCSG into a CA-based
linear model is very simple and can be applied to CCSGs in a range of
practical interest. The linearity of these cellular models can be
advantageously used in two different ways: (a) for the analysis and/or
cryptanalysis of the CCSGs and (b) for the reconstruction of the output
sequence obtained from this kind of generators.

Keywords: Cellular automata, Clock-controlled generators, Pseudorandom
sequence, Linear modelling

1 Introduction

Cellular Automata (CA) are discrete dynamic systems characterized by a simple
structure but a complex behavior, see [5], [13], [TS], [12] and [H]. They are built
up of individual elements, called cells, related to one another in many varied
ways. CA have been used in application areas as different as physical system
simulation, biological processes, species evolution, socio-economical models or test
pattern generation. Their simple, modular, and cascadable structure makes them
very attractive for VLSI implementations. CA can be characterized by several
parameters which determine their behavior, e.g. the number of states per cell,
the function $\Phi$ (the so-called rule) under which the cellular automaton evolves to
the next state, the number of neighbor cells which are included in $\Phi$, the number
of preceding states included in $\Phi$, the geometric structure and dimension of the
automaton (the cells can be arranged on a line or in a square or cubic lattice in
two, three or more dimensions), etc.

On the other hand, Linear Feedback Shift Registers (LFSRs) ^U^ are electronic
devices currently used in the generation of pseudorandom sequences. The
inherent simplicity of LFSRs, their ease of implementation, and the good sta- 
tistical properties of their output sequences turn them into natural building 
blocks for the design of pseudorandom sequence generators with applications 
in spread-spectrum communications, circuit testing, error-correcting codes, nu- 
merical simulations or cryptography. 

CA and LFSRs are special forms of a more general mathematical structure:
finite state machines [IB]. In recent years, one-dimensional CA have been
proposed as an alternative to LFSRs ([T], [3], [H] and [3D]) in the sense that every
sequence generated by an LFSR can be obtained from one-dimensional CA too.
Pseudorandom sequence generators currently involve several LFSRs combined
by means of nonlinear functions or irregular clocking techniques (see [M], [T7]).
Then, the question that arises in a natural way is: are there one-dimensional
CA able to produce the sequence obtained from any LFSR-based generator?
The answer is yes and, in fact, this paper considers the problem of how to find,
given a particular LFSR-based generator, one-dimensional CA that reproduce
its output sequence. More precisely, in this work it is shown that a wide class
of LFSR-based nonlinear generators, the so-called Clock-Controlled Shrinking
Generators (CCSGs) [12], can be described in terms of one-dimensional CA
configurations. The automata presented here unify in a simple structure the
above mentioned class of sequence generators. Moreover, CCSGs, that is,
generators conceived and designed as nonlinear models, are converted into linear
one-dimensional CA. Once the generators have been linearized, all the
theoretical background on linear CA found in the literature can be applied to their
analysis and/or cryptanalysis. The conversion procedure is very simple and can
be realized in a range of practical interest.

The paper is organized as follows: in section 2, basic concepts, e.g.
one-dimensional CA, CCSGs or the Cattell and Muzio cellular synthesis method, are
introduced. A simple algorithm to determine the pair of CA corresponding to a
particular shrinking generator and its generalization to Clock-Controlled
Shrinking Generators are given in sections 3 and 4, respectively. A simple approach to
the reconstruction of the generated sequence that exploits the linearity of the
CA-based model is presented in section 5. Finally, conclusions in section 6 end
the paper.

2 Basic Structures 

In the following subsections, we introduce the general characteristics of the basic
structures we are dealing with: one-dimensional cellular automata, the shrinking
generator and the class of clock-controlled shrinking generators. Throughout
the work, only binary CA and LFSRs will be considered. In addition, all the
LFSRs we are dealing with are maximal-length LFSRs whose output sequences
are PN-sequences [TU].

2.1 One-Dimensional Cellular Automata 

One-dimensional cellular automata can be described as $n$-cell registers [S], whose
cell contents are updated at the same time according to a particular rule, that is
to say a $k$-variable function denoted by $\Phi$. If the function $\Phi$ is a linear function,
so is the cellular automaton. When $k$ input binary variables are considered, then
there is a total of $2^k$ different neighbor configurations. Therefore, for cellular
automata with binary contents there can be up to $2^{2^k}$ different mappings to the
next state. Moreover, if $k = 2r + 1$, then the next state $x_i^{t+1}$ of the cell $x_i^t$ depends
on the current state of $k$ neighbor cells
$x_i^{t+1} = \Phi(x_{i-r}^t, \ldots, x_i^t, \ldots, x_{i+r}^t)$ $(i = 1, \ldots, n)$.

CA are called uniform if all cells evolve under the same rule, while
CA are called hybrid if different cells evolve under different rules. At the
ends of the array, two different boundary conditions are possible: null automata,
when cells with permanent null contents are supposed adjacent to the extreme
cells, or periodic automata, when extreme cells are supposed adjacent.

In this paper, all the automata considered will be one-dimensional null hybrid
CA with $k = 3$ and linear rules 90 and 150. Such rules are described as follows:

Rule 90 Rule 150 

For a one-dimensional null hybrid cellular automaton of length $n = 10$
cells, configuration rules (90, 150, 150, 150, 90, 90, 150, 150, 150, 90) and initial
state (0,0,0,1,1,1,0,1,1,0), Table 1 illustrates the formation of its output
sequences (binary sequences read vertically) and the succession of states (binary
configurations of 10 bits read horizontally). For the above mentioned rules, the
different states of the automaton are grouped in closed cycles. The number of
different output sequences for a particular cycle is $\leq n$ as the same sequence
(although shifted) may appear simultaneously in different cells. At the same
time, all the sequences in a cycle will have the same period and linear complexity
[13], and any output sequence of the automaton can be produced at any
cell provided that we get the right state cycle.

2.2 The Shrinking Generator 

The shrinking generator is a binary sequence generator [7] composed of two
LFSRs: a control register, called $R_1$, that decimates the sequence produced by
the other register, called $R_2$. We denote by $L_j$ $(j = 1, 2)$ their corresponding
lengths and by $P_j(x) \in GF(2)[x]$ $(j = 1, 2)$ their corresponding characteristic
polynomials [10].



Table 1: An one-dimensional null hybrid linear cellular automaton of 10 cells 
with rule 90 and rule 150 starting at a given initial state 
The sequence produced by the LFSR $R_1$, that is $\{a_i\}$, controls the bits of
the sequence produced by $R_2$, that is $\{b_i\}$, which are included in the output
sequence $\{c_j\}$ (the shrunken sequence), according to the following rule $P$:

1. If $a_i = 1 \Longrightarrow c_j = b_i$

2. If $a_i = 0 \Longrightarrow b_i$ is discarded.

A simple example illustrates the behavior of this structure.

Example 1: Let us consider the following LFSRs:

1. Shift register $R_1$ of length $L_1 = 3$, characteristic polynomial
$P_1(x) = 1 + x^2 + x^3$ and initial state $IS_1 = (1,0,0)$. The sequence generated by
$R_1$ is $\{a_i\} = \{1,0,0,1,1,1,0\}$ with period $T_1 = 2^{L_1} - 1 = 7$.

2. Shift register $R_2$ of length $L_2 = 4$, characteristic polynomial
$P_2(x) = 1 + x + x^4$ and initial state $IS_2 = (1,0,0,0)$. The sequence generated by $R_2$
is $\{b_i\} = \{1,0,0,0,1,0,0,1,1,0,1,0,1,1,1\}$ with period $T_2 = 2^{L_2} - 1 = 15$.

The output sequence $\{c_j\}$ is given by:

• $\{a_i\}$ → 1001110100111010011101

• $\{b_i\}$ → 1000100110101111000100

• $\{c_j\}$ → 1010110110010

The underlined bits 0 or 1 in $\{b_i\}$ are discarded. In brief, the sequence
produced by the shrinking generator is an irregular decimation of $\{b_i\}$ from the
bits of $\{a_i\}$.



According to [7], the period of the shrunken sequence is

$$T = (2^{L_2} - 1)\, 2^{(L_1 - 1)} \qquad (1)$$

and its linear complexity [17], notated $LC$, satisfies the following inequality

$$L_2\, 2^{(L_1 - 2)} < LC \leq L_2\, 2^{(L_1 - 1)}. \qquad (2)$$

In addition, it can be proved [7] that the output sequence has some nice
distributional statistics too. Therefore, this scheme is suitable for practical
implementation of stream cipher cryptosystems and pattern generators.

2.3 The Clock-Controlled Shrinking Generators 

The Clock-Controlled Shrinking Generators constitute a wide class of
clock-controlled sequence generators [12] with applications in cryptography, error
correcting codes and digital signature. A CCSG is a sequence generator composed
of two LFSRs notated $R_1$ and $R_2$. The parameters of both registers are defined
as those of subsection 2.2. At any time $t$, the control register $R_1$ is clocked
normally while the second register $R_2$ is clocked a number of times given by an
integer decimation function notated $X_t$. In fact, if $A_0(t), A_1(t), \ldots, A_{L_1-1}(t)$
are the binary cell contents of $R_1$ at time $t$, then $X_t$ is defined as

$$X_t = 1 + 2^0 A_{i_0}(t) + 2^1 A_{i_1}(t) + \ldots + 2^{w-1} A_{i_{w-1}}(t) \qquad (3)$$

where $i_0, i_1, \ldots, i_{w-1} \in \{0, 1, \ldots, L_1 - 1\}$ and $0 \leq w \leq L_1 - 1$.

In this way, the output sequence of a CCSG is obtained from a double
decimation. First, $\{b_i\}$, the output sequence of $R_2$, is decimated by means of $X_t$
giving rise to the sequence $\{b'_i\}$. Then, the same decimation rule $P$, defined in
subsection 2.2, is applied to the sequence $\{b'_i\}$. Remark that if $X_t = 1$ (no cells
are selected in $R_1$), then the proposed generator is just the shrinking generator.
Let us see a simple example of CCSG.

Example 2: For the same LFSRs defined in the previous example and the
function $X_t = 1 + 2^0 A_0(t)$ with $w = 1$, the decimated sequence $\{b'_i\}$ is given by:

• $\{b_i\}$ → 1000100110101111000100110101111

• $X_t$ → 2112221211222121122

• $\{b'_i\}$ → 10010110111010101011

According to the decimation function $X_t$, the underlined bits 0 or 1 in $\{b_i\}$
are discarded in order to produce the sequence $\{b'_i\}$. Then the output sequence
$\{c_j\}$ of the CCSG is given by:

• $\{a_i\}$ → 1001110100111010011101

• $\{b'_i\}$ → 10010110111010101011

• $\{c_j\}$ → 110101011011

The underlined bits 0 or 1 in $\{b'_i\}$ are discarded.

In brief, the sequence produced by a CCSG is an irregular double decimation
of the sequence generated by $R_2$ from the function $X_t$ and the bits of $R_1$.
This construction allows one to generate a large family of different sequences by
using the same LFSR initial states and characteristic polynomials but modifying
the decimation function. Period, linear complexity and statistical properties of
the sequences generated by CCSGs have been established in [T^ .
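The two decimations of Examples 1 and 2, as an added Python sketch that is not part of the original paper. The tap convention, the mapping of cell $A_i(t)$ to position $i$ of the register window and all function names are assumptions of this sketch; the register parameters are those of Example 1.

```python
def lfsr_windows(taps, state):
    """Yield successive register contents of a binary LFSR.

    The recurrence is s[n+L] = XOR of s[n+k] for k in taps, so taps holds
    the exponents below L of the characteristic polynomial
    (1 + x^2 + x^3 -> taps (0, 2)). The output bit is window[0].
    """
    window = list(state)
    while True:
        yield tuple(window)
        feedback = 0
        for k in taps:
            feedback ^= window[k]
        window = window[1:] + [feedback]


def ccsg(ticks, r1, r2, cells=()):
    """Run a clock-controlled shrinking generator for `ticks` clock pulses.

    r1 and r2 are (taps, initial_state) pairs. cells lists the R1 cells
    i_0..i_{w-1} feeding X_t = 1 + sum 2^k A_{i_k}(t); an empty tuple gives
    X_t = 1, i.e. the plain shrinking generator.
    Assumption of this sketch: A_i(t) is window[i], so A_0(t) is the bit a_t.
    Returns (X_t values, decimated sequence b', output sequence c).
    """
    control = lfsr_windows(*r1)
    data = (w[0] for w in lfsr_windows(*r2))
    x_values, decimated, output = [], [], []
    for _ in range(ticks):
        a_window = next(control)
        b = next(data)                    # bit R2 presents at this pulse
        x_t = 1 + sum(a_window[i] << k for k, i in enumerate(cells))
        for _ in range(x_t - 1):          # extra clocks drop bits of {b_i}
            next(data)
        x_values.append(x_t)
        decimated.append(b)
        if a_window[0] == 1:              # rule P: keep the bit only if a_i = 1
            output.append(b)
    return x_values, decimated, output


def bits(seq):
    """Render a list of small integers as a compact string."""
    return "".join(map(str, seq))


# Registers of Example 1: P1 = 1 + x^2 + x^3 and P2 = 1 + x + x^4.
R1 = ((0, 2), (1, 0, 0))
R2 = ((0, 1), (1, 0, 0, 0))

if __name__ == "__main__":
    _, b, c = ccsg(22, R1, R2)
    print("shrinking generator:", bits(b), "->", bits(c))
    x, b1, c1 = ccsg(20, R1, R2, cells=(0,))
    print("CCSG X_t           :", bits(x))
    print("CCSG               :", bits(b1), "->", bits(c1))
```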

2.4 Cattell and Muzio Synthesis Algorithm

The Cattell and Muzio synthesis algorithm \^. presents a method of obtaining
two CA (based on rules 90 and 150) corresponding to a given polynomial. Such
an algorithm takes as input an irreducible polynomial $Q(x) \in GF(2)[x]$ defined
over a finite field and computes two reversal linear CA whose output sequences
have $Q(x)$ as characteristic polynomial. Such CA are written as binary strings
with the following codification: 0 = rule 90 and 1 = rule 150. The theoretical
foundations of the algorithm can be found in [5]. The total number of operations
required for this algorithm is listed in [4] (Table II, page 334). It is shown that
the number of operations grows linearly with the degree of the polynomial, so
the method does not suffer from any sort of exponential blow-up. The method
is efficient for all practical applications (e.g. in 1996 finding a pair of length
300 CA took 16 CPU seconds on a SPARC 10 workstation). For cryptographic
applications, the degree of the irreducible (primitive) polynomial is $L_2 \approx 64$, so
that the time consumed is negligible.

Finally, a list of One-Dimensional Linear Hybrid Cellular Automata of
Degree Through 500 can be found in [B].

3 CA-Based Linear Models for the Shrinking 
Generator 

In this section, an algorithm to determine the pair of one-dimensional linear CA 
corresponding to a given shrinking generator is presented. Such an algorithm is 
based on the following results: 

Lemma 3.1 The characteristic polynomial of the shrunken sequence is of the
form $P(x)^N$, where $P(x) \in GF(2)[x]$ is an $L_2$-degree polynomial and $N$ is an
integer satisfying the inequality $2^{(L_1 - 2)} < N \leq 2^{(L_1 - 1)}$.

Sketch of proof. The idea of the proof consists in demonstrating the uniqueness
of the polynomial $P(x)$ that defines the linear recurrence relation satisfied by
$\{c_j\}$ for both the upper and lower bounds on the linear complexity. The values
of such bounds are given in equation (2). □



Lemma 3.2 Let $P_2(x) \in GF(2)[x]$ be the characteristic polynomial of $R_2$ and
let $\alpha$ be a root of $P_2(x)$ in the extension field $GF(2^{L_2})$. Then, $P(x) \in GF(2)[x]$
is the characteristic polynomial of cyclotomic coset $2^{L_1} - 1$, that is

$$P(x) = (x + \alpha^{E})(x + \alpha^{2E}) \cdots (x + \alpha^{2^{L_2-1}E}) \qquad (4)$$

$E$ being an integer given by

$$E = 2^0 + 2^1 + \ldots + 2^{L_1 - 1}. \qquad (5)$$

Sketch of proof. The shrunken sequence can be written as an interleaved
sequence [TT] made out of a unique PN-sequence repeated $2^{(L_1 - 1)}$ times, where
$2^{(L_1 - 1)}$ is the number of 1's in a full period of $\{a_i\}$. Such a PN-sequence is
obtained from $\{b_i\}$ taking digits separated a distance $2^{L_1} - 1$. That is, the
PN-sequence is the characteristic sequence associated with the cyclotomic coset
$2^{L_1} - 1$ whose characteristic polynomial is $P(x)$. □

Remark that $P(x)$ depends exclusively on the characteristic polynomial of
the register $R_2$ and on the length $L_1$ of the register $R_1$. In addition, the
polynomial $P(x)$ will be the input to the Cattell and Muzio synthesis algorithm [3].
Based on such an algorithm, the following result is derived:

Proposition 3.3 Let $Q(x) \in GF(2)[x]$ be a polynomial defined over a finite
field and let $s_1$ and $s_2$ be two binary strings codifying the two linear CA obtained
from the Cattell and Muzio algorithm. Then, the two binary strings corresponding
to the polynomial $Q(x) \cdot Q(x)$ are:

$$S_i = \overline{s}_i * \overline{s}_i^{\,*} \qquad i = 1, 2$$

where $\overline{s}_i$ is the binary string $s_i$ whose least significant bit has been complemented,
$\overline{s}_i^{\,*}$ is the mirror image of $\overline{s}_i$ and the symbol $*$ denotes concatenation.

Sketch of proof. The result is just a generalization of the Cattell and Muzio
synthesis algorithm, see [1] and [S]. The concatenation is due to the fact that
rule 90 (150) at the end of the array in null automata is equivalent to two
consecutive rules 150 (90) with identical sequences. □

According to the previous results, the following linearization algorithm is 
introduced: 

Input: A shrinking generator characterized by two LFSRs, $R_1$ and $R_2$, with
their corresponding lengths, $L_1$ and $L_2$, and the characteristic polynomial $P_2(x)$
of the register $R_2$.

Step 1: From $L_1$ and $P_2(x)$, compute the polynomial $P(x)$ as

$$P(x) = (x + \alpha^{E})(x + \alpha^{2E}) \cdots (x + \alpha^{2^{L_2-1}E}) \qquad (6)$$

with $E = 2^0 + 2^1 + \ldots + 2^{L_1 - 1}$.

Step 2: From $P(x)$, apply the Cattell and Muzio synthesis algorithm [3] to
determine the two linear CA (with rules 90 and 150), notated $S_i$, whose
characteristic polynomial is $P(x)$.

Step 3: For each $S_i$ separately, we proceed:

3.1 Complement its least significant bit. The resulting binary string is
notated $\overline{S}_i$.

3.2 Compute the mirror image of $\overline{S}_i$, notated $\overline{S}_i^{\,*}$, and concatenate both
strings

$$S'_i = \overline{S}_i * \overline{S}_i^{\,*}.$$

3.3 Apply steps 3.1 and 3.2 to each $S'_i$ recursively $L_1 - 1$ times.

Output: Two binary strings of length $n = L_2\, 2^{L_1 - 1}$ codifying the linear
CA corresponding to the given shrinking generator.

Remark 3.4 The characteristic polynomial of the register $R_1$ is not needed.
Thus all the shrinking generators with the same $R_2$ but different registers $R_1$
(all of them with the same length $L_1$) can be modelled by the same pair of
one-dimensional linear CA.

Remark 3.5 It can be noticed that the computational requirements of the
linearization algorithm are minimal. In fact, it just consists in the application
of the Cattell and Muzio synthesis algorithm, whose time consumption is negligible,
plus $(L_1 - 1)$ concatenations of binary strings. Both procedures can be carried
out on a simple PC.

In any case, thanks to this simple algorithm a linear model producing the 
output sequence of the shrinking generator is obtained. In order to clarify the 
previous steps a simple numerical example is presented. 

Input: A shrinking generator characterized by two LFSRs: $R_1$ of length
$L_1 = 3$ and $R_2$ of length $L_2 = 5$ and characteristic polynomial
$P_2(x) = 1 + x + x^2 + x^4 + x^5$. Now $E = 2^3 - 1$.

Step 1: $P(x)$ is the characteristic polynomial of the cyclotomic coset 7. Thus,

$$P(x) = 1 + x^2 + x^5.$$

Step 2: From $P(x)$ and applying the Cattell and Muzio synthesis algorithm,
two reversal linear CA whose characteristic polynomial is $P(x)$ can be
determined. Such CA are written in binary format as:

01111
11110

Step 3: Computation of the required pair of CA.
For the first automaton:

01111

0111001110

01110011111111001110 (final automaton)

For the second automaton:

11110

1111111111

11111111100111111111 (final automaton)

For each automaton, the procedure in Step 3 has been carried out twice
as $L_1 - 1 = 2$.

Output: Two binary strings of length $n = 20$ codifying the required
CA.

In this way, we have obtained a pair of linear CA among whose output se- 
quences we can obtain the shrunken sequence corresponding to the given shrink- 
ing generator. Remark that the model based on CA is a linear one. In addition, 
for each one of the previous automata there are state cycles where the shrunken 
sequence is generated at any one of the cells. 

4 CA-Based Linear Models for the Clock-Controlled 
Shrinking Generators 

In this section, an algorithm to determine the pair of one-dimensional linear CA 
corresponding to a given CCSG is presented. Such an algorithm is based on the 
following results: 

Lemma 4.1 The characteristic polynomial of the output sequence of a CCSG
is of the form $P'(x)^N$, where $P'(x) \in GF(2)[x]$ is an $L_2$-degree polynomial and
$N$ is an integer satisfying the inequality 2^^^^'^' < N < 2^^^^^' .

Sketch of proof. The idea of the proof is analogous to that one developed in 
Lemma 3.1. □ 

Remark that, according to the structure of the CCSGs, the polynomial $P'(x)$
depends on the characteristic polynomial of the register $R_2$, the length $L_1$ of the
register $R_1$ and the decimation function $X_t$. Before, $P(x)$ was the characteristic
polynomial of the cyclotomic coset $E$, where $E = 2^0 + 2^1 + \ldots + 2^{L_1 - 1}$ was
a fixed separation distance between the digits drawn from the sequence $\{b_i\}$.
Now, this distance $D$ is variable and is a function of $X_t$. The computation of
$D$ gives rise to the following result:



Lemma 4.2 Let $P_2(x) \in GF(2)[x]$ be the characteristic polynomial of $R_2$ and
let $\alpha$ be a root of $P_2(x)$ in the extension field $GF(2^{L_2})$. Then, $P'(x) \in GF(2)[x]$
is the characteristic polynomial of cyclotomic coset $D$, where $D$ is given by

$$D = 2^{L_1 - w} \Big( \sum_{i=1}^{2^w} i \Big) - 1 = (1 + 2^w)\, 2^{L_1 - 1} - 1. \qquad (7)$$


Sketch of proof. The idea of the proof is analogous to the one developed in
Lemma 3.2. In fact, the distance $D$ can be computed taking into account that
the function $X_t$ takes values in the interval $[1, 2, \ldots, 2^w]$ and the number of
times that each one of these values appears in a period of the output sequence
is given by $2^{L_1 - w}$. A simple computation, based on the sum of the terms of an
arithmetic progression, completes the sketch. □

From the previous results, it can be noticed that the algorithm to determine
the CA corresponding to a given CCSG is analogous to the one developed in
section 3; just the expression of $E$ in equation (4) must be replaced here by the
expression of $D$ in equation (7). A simple numerical example is presented.

Input: A CCSG characterized by: two LFSRs, $R_1$ of length $L_1 = 3$ and $R_2$
of length $L_2 = 5$ and characteristic polynomial $P_2(x) = 1 + x + x^2 + x^4 + x^5$,
plus the decimation function $X_t = 1 + 2^0 A_0(t) + 2^1 A_1(t) + 2^2 A_2(t)$ with $w = 3$.

Step 1: $P'(x)$ is the characteristic polynomial of the cyclotomic coset $D$. Now
$D = 4 \bmod 31$, that is we are dealing with the cyclotomic coset 1. Thus,
the corresponding characteristic polynomial is:

$$P'(x) = 1 + x + x^2 + x^4 + x^5.$$

Step 2: From $P'(x)$ and applying the Cattell and Muzio synthesis algorithm,
two reversal linear CA whose characteristic polynomial is $P'(x)$ can be
determined. Such CA are written in binary format as:

10000
00001

Step 3: Computation of the required pair of CA.
For the first automaton:

10000

1000110001

10001100000000110001 (final automaton)

For the second automaton:

00001

0000000000

00000000011000000000 (final automaton)

For each automaton, the procedure in Step 3 has been carried out twice
as $L_1 - 1 = 2$.

Output: Two binary strings of length $n = 20$ codifying the required
CA.
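Steps 1 and 3 of the linearization algorithm, run on the numerical examples of sections 3 and 4 (an added Python sketch, not the authors' code). Step 2, the Cattell and Muzio synthesis, is not implemented: the seed strings are the ones quoted in the examples, and `ca_char_poly` (a name chosen here) recomputes their characteristic polynomial with the tridiagonal determinant recurrence, which is this sketch's choice of check.

```python
def gf2_mul(a, b):
    """Carry-less product of GF(2)[x] polynomials stored as bit masks."""
    r = 0
    while b:
        if b & 1:
            r ^= a
        a, b = a << 1, b >> 1
    return r


def gf2_mod(a, m):
    """Remainder of a modulo m in GF(2)[x]."""
    deg = m.bit_length() - 1
    while a.bit_length() - 1 >= deg:
        a ^= m << (a.bit_length() - 1 - deg)
    return a


def coset_poly(p2, e):
    """Step 1: characteristic polynomial of the cyclotomic coset of e, that is
    prod (x + alpha^j) over the coset, alpha being a root of the primitive p2."""
    order = (1 << (p2.bit_length() - 1)) - 1
    coset, j = [], e % order
    while j not in coset:
        coset.append(j)
        j = 2 * j % order
    poly = [1]                               # poly[i] = coefficient of x^i
    for j in coset:
        root = 1
        for _ in range(j):                   # root = alpha^j
            root = gf2_mod(root << 1, p2)
        nxt = [0] * (len(poly) + 1)
        for i, c in enumerate(poly):
            nxt[i + 1] ^= c                            # c * x
            nxt[i] ^= gf2_mod(gf2_mul(c, root), p2)    # c * alpha^j
        poly = nxt
    return sum(c << i for i, c in enumerate(poly))     # coefficients are 0 or 1


def ca_char_poly(rules):
    """Characteristic polynomial of a null 90/150 CA ('0' = 90, '1' = 150),
    from the recurrence D_k = (x + d_k) D_{k-1} + D_{k-2} over GF(2)."""
    prev, cur = 0, 1
    for d in rules:
        prev, cur = cur, gf2_mul(0b10 | int(d), cur) ^ prev
    return cur


def expand(rules, times):
    """Step 3: complement the last bit, append the mirror image, repeat."""
    for _ in range(times):
        flipped = rules[:-1] + str(1 - int(rules[-1]))
        rules = flipped + flipped[::-1]
    return rules


P2 = 0b110111                      # 1 + x + x^2 + x^4 + x^5
L1 = 3
SG_SEEDS = ("01111", "11110")      # Step 2 strings quoted in section 3
CCSG_SEEDS = ("10000", "00001")    # Step 2 strings quoted in section 4

if __name__ == "__main__":
    print("coset 7  ->", bin(coset_poly(P2, 7)))       # shrinking generator
    print("coset 35 ->", bin(coset_poly(P2, 35)))      # CCSG with w = 3
    for seed in SG_SEEDS + CCSG_SEEDS:
        model = expand(seed, L1 - 1)
        print(seed, "->", model, bin(ca_char_poly(model)))
```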

Remark 4.3 From the point of view of the CA-based linear models, the shrinking
generator or any one of the CCSGs are entirely analogous. Thus, introducing
an additional decimation function neither increases the complexity
of the generator nor improves its resistance against cryptanalytic attacks, since
both kinds of generators can be linearized by the same class of CA-based models.

5 A Simple Approach to the Output Sequence
Reconstruction for this Class of Sequence Generators

Since CA-based linear models describing the behavior of CCSGs have been
derived, a cryptanalytic attack that exploits the weaknesses of these models has
also been developed. It consists in reconstructing the CCSG output sequence
from a portion of such a sequence (the intercepted subsequence). The key idea
of this attack is based on the study of the repeated sequences in the automata
under consideration and the relative shifts among such sequences. In fact, the
sequence at an extreme cell of the automaton is repeated on average once out
of $L_2$ cells. In order to determine these shifts, the algorithm of Bardell [2] for
phase-shift analysis of CA is applied. The approach is composed of several
steps:

• Step 1: The portion of $M$ intercepted bits of the output sequence is placed
at the rightmost (leftmost) cell of one of the automata. This provides shifted
portions of the same output sequence produced at different cells. The
lengths of these subsequences are (on average)
$(M - L_2), (M - 2L_2), (M - 3L_2), \ldots, (M - pL_2)$ where $p = \lfloor M/L_2 \rfloor$.

• Step 2: The locations of the different cells that generate the same output
sequence as well as the relative shifts among these sequences are detected
via Bardell's algorithm.

• Step 3: Repeat Step 1 and Step 2 for every one of the subsequences
obtained above.

Summing up the contributions of the bits provided by each automaton, we 
obtain that the total number of bits reconstructed is 

Nt ~ Mp^ = M{M/L2Y (8) 

We know not only this number of bits but also the precise location of such bits
along the sequence. Notice that we have two different CA plus an additional
pair of CA corresponding to the reverse version of the output sequence (the
pair associated to the reciprocal polynomial of $P_2(x)$). In addition, for each
automaton the intercepted $M$-bit sequence can be placed either at the
rightmost cell or the leftmost cell producing different locations of the same sequence.
Thus, each one of the different automata will contribute to the reconstruction of
the output sequence with a number of bits given by the equation (8). Moreover,
remark that the output sequence for these generators is an interleaved sequence
[TT] made out of a fixed PN-sequence. Hence, the portions of the reconstructed
subsequence allow us to fix the starting point of many of these PN-sequences.
The rest of the bits of each PN-sequence can be easily derived.

Once the previous steps are accomplished, the original output sequence can
be reconstructed by concatenating all different reconstructed subsequences.

Finally, let us see a simple example of application of Bardell's algorithm. 

Example 3: Let us consider a cellular automaton with the following
characteristics:

• Number of cells $n = 10$

• Automaton under study in binary format: 0011001100

• Characteristic polynomial $(1 + x + x^3 + x^4 + x^5)^2$.

Let $S$ be the shift operator defined on $X_i$ $(i = 1, \ldots, 10)$, the state of the
$i$-th cell, as follows:

$$S X_i(t) = X_i(t + 1).$$

Thus, the corresponding difference equation system for the previous automaton
can be written as follows:

$$S X_1 = X_2, \quad S X_2 = X_1 + X_3, \quad \ldots, \quad S X_{10} = X_9.$$

Next, expressing each $X_i$ as a function of $X_{10}$, we obtain the following system:

$$X_1 = (S^9 + S^4 + S^3 + S^2 + S + 1) X_{10}$$
$$X_2 = (S^8 + S^6 + S^5 + S^4 + S^3 + S + 1) X_{10}$$
$$\vdots$$
$$X_9 = (S) X_{10}.$$

Analogous results can be obtained expressing each $X_i$ as a function of $X_1$.
Now taking logarithms in both sides of the equalities,

$$\log(X_1) = \log(S^9 + S^4 + S^3 + S^2 + S + 1) + \log(X_{10})$$
$$\log(X_2) = \log(S^8 + S^6 + S^5 + S^4 + S^3 + S + 1) + \log(X_{10})$$
$$\vdots$$
$$\log(X_9) = \log(S) + \log(X_{10}).$$

The base of the logarithm is $R(S)$ and the values of the logarithms are
integers over a finite domain. According to Bardell's algorithm, we
determine the integers $m$ (if they exist) such that $S^m \bmod R(S)$ equals the different
polynomials in $S$ included in the above system. For instance,

$$S^{26} \bmod R(S) = S^2 + 1.$$

Or simply, $S^{26} = S^2 + 1$ and $26 \log(S) = \log(S^2 + 1)$ with $\log(S) = 1$. Now
substituting in the previous system, the following equations can be derived:

$$\log(X_9) - \log(X_{10}) = 1$$
$$\log(X_8) - \log(X_{10}) = 26$$
$$\log(X_4) - \log(X_{10}) = 6$$

$$\log(X_2) - \log(X_1) = 1$$
$$\log(X_3) - \log(X_1) = 26$$
$$\log(X_7) - \log(X_1) = 6.$$

The phase-shifts of the outputs 9, 8 and 4 relative to cell 10 are 1, 26 and
6 respectively. Similar values are obtained in the other group of cells, that is
cells 2, 3 and 7 relative to cell 1. The other cells generate different sequences.
Further contributions to phase-shift analysis of CA based on 90/150 rules can
be found in [16] and [8].
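The phase shifts of Example 3 can also be read off by running the automaton and comparing the cell sequences over one state cycle. The following Python sketch is an added illustration, not part of the paper; the start state and the function names are assumptions, while the rule string is the one given in the example.

```python
def ca_step(state, rules):
    """One step of a null-boundary hybrid CA ('0' = rule 90, '1' = rule 150)."""
    padded = (0,) + tuple(state) + (0,)
    return tuple(
        padded[i - 1] ^ padded[i + 1] ^ (padded[i] if rule == "1" else 0)
        for i, rule in enumerate(rules, start=1)
    )


def cycle(state, rules):
    """List the states visited from `state` until it recurs."""
    states, current = [tuple(state)], ca_step(state, rules)
    for _ in range(2 ** len(rules)):
        if current == states[0]:
            return states
        states.append(current)
        current = ca_step(current, rules)
    raise ValueError("start state does not lie on a cycle")


def phase_shifts(rules, state, ref):
    """Return (period, {cell: m}) with X_cell(t) = X_ref(t + m) on the cycle.

    Cells are numbered from 1 as in the text. A cell whose sequence is not a
    shifted copy of the reference sequence is left out of the mapping.
    """
    states = cycle(state, rules)
    period = len(states)
    columns = [[s[i] for s in states] for i in range(len(rules))]
    reference = columns[ref - 1]
    shifts = {}
    for cell, column in enumerate(columns, start=1):
        for m in range(period):
            if all(column[t] == reference[(t + m) % period]
                   for t in range(period)):
                shifts[cell] = m
                break
    return period, shifts


RULES = "0011001100"                      # automaton of Example 3
START = (0, 0, 0, 0, 0, 0, 0, 0, 0, 1)    # assumed start state (only cell 10 set)

if __name__ == "__main__":
    period, to_cell_10 = phase_shifts(RULES, START, ref=10)
    _, to_cell_1 = phase_shifts(RULES, START, ref=1)
    print("cycle length:", period)
    print("shifts relative to cell 10:", to_cell_10)
    print("shifts relative to cell 1 :", to_cell_1)
```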

6 Conclusions 

A wide family of LFSR-based sequence generators, the so-called Clock-Controlled 
Shrinking Generators, has been analyzed and identified with a subset of linear 
cellular automata. In this way, sequence generators conceived and designed 
as complex nonlinear models can be written in terms of simple linear models. 
An easy algorithm to compute the pair of one-dimensional linear hybrid cellu- 
lar automata that generate the CCSG output sequences has been derived. A 
cryptanalytic approach based on the phase-shift of cellular automata output 
sequences is proposed. From the obtained results, we can create linear cellu- 
lar automata-based models to analyse/cryptanalyse the class of clock-controlled 
generators. 